Description

Security researcher Seb Patane reported that the Mozilla
Updater does not write-lock the MAR update file when it is in use by the
Updater. This leaves open the possibility of altering the contents of the MAR
file after the signature on the file has been verified as valid but before it
has been used. This could allow an attacker with access to the local system to
silently replace the contents of the update MAR file and either replace the
installed software with their own or extract and run executables files with the
same privileges as that of the Mozilla Updater.